Feds Own Cybersecurity Efforts Are A Joke: Employees Have 'Gone Rogue' To Avoid 'Ineptitude' Of IT Staff

from the get-your-house-in-order dept

One of the key parts of the various cybersecurity bills that have been pushed over the past few years is the idea that the federal government would help the private sector better protect against attacks. Of course, for that to make sense, you'd think that the federal government would have its own "cybersecurity" house in order. However, a report from the Senate shows what even it describes as "ineptitude" by various government agencies. Pick your agency and you'll find problems. Let's take a look at Homeland Security, one of the agencies that has been vying for control of the federal cybersecurity budget. Turns out that DHS's own cybersecurity team repeatedly failed to install basic security updates for software that attackers routinely target, like Microsoft applications and Java (tip: if you're using Java, you're probably not secure). As the report notes, this is "the sort of basic security measure just about any American with a computer has performed." But not DHS cybersecurity employees!

Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.

Oh, and then there's the following concerning our good friends at ICE, Immigration and Customs Enforcement, the group that styles itself as Hollywood's personal police force:

To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops--even two credit cards left out.

Moving on to the Nuclear Regulatory Commission. Here things are so bad that the report notes that NRC employees believe their own IT staff is "inept" and they've "gone rogue."

Perceived ineptitude of NRC technology experts.
There is such “a general lack of confidence” in the NRC’s information technology division that NRC offices have effectively gone rogue–by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts. Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,” the NRC Inspector General reported in December 2013.

And this has resulted in a bunch of problems, such as storing sensitive data on unsecured shared drives, including the details of the NRC's cybersecurity programs. Also on an unsecured shared drive? A commissioner's passport photo, credit card image, home address and phone number. The NRC also failed to report security breaches:

How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can't say, because it has no official process for reporting such breaches.

Moving on to everyone's favorite government agency: the IRS. The report notes that every year the GAO finds 100 cybersecurity weaknesses in IRS systems, and the IRS fixes half of them. Then the GAO does another audit... and finds another 100 problems with the IRS's cybersecurity. Among the problems? Failure to encrypt sensitive data. Failure to fix known vulnerabilities. And, the ever popular weak passwords:

Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology. In some cases, IRS users had not changed their passwords in nearly two years. As a result someone might gain unauthorized access to taxpayers’ personal information and it “would be virtually undetectable,” potentially for years. GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years.
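As an added example, not part of the article or of the Senate report it quotes, here is a Python audit check that flags exactly the weak-password classes the quoted passage lists (username, real name, the word "password", the agency name, keyboard patterns) and also reports passwords that have gone unchanged too long. The agency name, the sample accounts and the 90-day age threshold are constructed assumptions, not values from the report.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Rows of a US keyboard; a short run along any row, forwards or backwards,
# is treated as one of the "simple keyboard patterns" (e.g. "qwerty").
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _norm(text: str) -> str:
    """Lower-case and drop punctuation so 'Doe_2012!' still reveals 'doe'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def has_keyboard_run(password: str, min_run: int = 4) -> bool:
    """True if the password contains min_run adjacent keys from one row."""
    p = _norm(password)
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in p:
                    return True
    return False


def agency_tokens(agency: str) -> set[str]:
    """Words of the agency name plus its acronym ('irs' for Internal Revenue Service)."""
    words = [w for w in agency.split() if w.isalpha()]
    toks = {_norm(w) for w in words}
    toks.add("".join(w[0] for w in words if w[0].isupper()).lower())
    return {t for t in toks if len(t) >= 3}  # ignore 'of', 'the', etc.


@dataclass
class Account:
    username: str
    real_name: str
    password: str      # only available in an audit of a plaintext policy test set
    last_changed: date


def weak_password_findings(acct: Account, agency: str, today: date,
                           max_age_days: int = 90) -> list[str]:
    """Return the list of weaknesses found for one account (empty if none)."""
    p = _norm(acct.password)
    findings: list[str] = []
    user = _norm(acct.username)
    if len(user) >= 3 and user in p:
        findings.append("contains username")
    if any(len(n) >= 3 and n in p for n in map(_norm, acct.real_name.split())):
        findings.append("contains real name")
    if "password" in p:
        findings.append("contains the word 'password'")
    if any(t in p for t in agency_tokens(agency)):
        findings.append("contains agency name")
    if has_keyboard_run(acct.password):
        findings.append("keyboard pattern")
    age = (today - acct.last_changed).days
    if age > max_age_days:  # 90 days is an assumed policy, not the report's figure
        findings.append(f"unchanged for {age} days")
    return findings


def audit(accounts, agency: str, today: date, max_age_days: int = 90) -> dict[str, list[str]]:
    """Map each username with at least one finding to its findings."""
    return {a.username: f for a in accounts
            if (f := weak_password_findings(a, agency, today, max_age_days))}
```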

How about an organization like the SEC, which deals with tons of sensitive information? Apparently, they're so careless and cavalier about this stuff that they used personal email accounts, left information unencrypted and often used unsecured open WiFi connections -- including once at "a convention of computer hackers."

Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. They used unencrypted laptops to store sensitive information, in violation of SEC policy--and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software. The laptops contained “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges,” according to one SEC official.

The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits. They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels--in at least one reported case, at a convention of computer hackers.

And yet these folks claim they can help secure everyone else's computers?

Of course they can!

Seems I have to correct yet another instance of a common conflation of entirely different uses of Java.

The insecurities in Java stem from its use to run applets in a Web browser. This usage dated from long before Dynamic HTML became as powerful as it is today. Java applets are obsolete and nobody should be using them any more.

However, other uses of Java (e.g. for desktop apps) are no more insecure than any other programming language. Consider the trouble you can get into with C and C++, yet nobody claims those languages are “insecure”.

(Dis)claimer: I use Java for Android programming, but only because I have to. I freely admit that it is a verbose and repetitive language. When normal people say that programming is a tedious and boring activity, they clearly have languages like Java and PHP in mind.

Want a language that offers great power and flexibility and is fun to use? Try Python.

Re: Java, the most dangerous software on the Internet

@Laurence D'Oliviero:

"The insecurities in Java stem from" Oracle degrading the quality of Java applet programming such that the original default sandboxing was DESTROYED. Don't expect Oracle to fix it. Obviously, they'd rather keep cleaning up after their puppy suffering PWN-The-User diarrhea.

My advice: Just say 'NO' to the Java Internet plug-in. If any website dares require it, tell them to get rid of it. Java is the single most dangerous software you can run on the Internet.

Re: Say what?

Yes, it is the point, but the problem is that home-grown solutions are rarely better, and often worse, from a security standpoint than the IT department they're trying to work around.

Honestly I've been on both sides of this argument... As an IT support person who's had to go in and take over a rogue operation after it self-destructed spectacularly, and a "rogue operator" who had to deal with an IT department that grew up around our existing infrastructure and slowly tried to whittle away our autonomy. In both cases I felt my group was in the right, and I could spend hours telling you why, but I'm obviously a bit biased.

Funnily enough, the second case was a Federal agency (the FAA), and I did think some particularly unkind things at our IT...

Re: Re: Say what?

Yup! The average engineer I work with is incompetent to secure his machine and just not interested. However, we have this job to do, involving CUSTOMERs, and I promise you that IT can very much get in the way of that, especially with its delays and lax and often high-handed attitude, and, for some strange reason, my organisation doesn't ask for basic security measures like not running Internet Explorer.

Effective IT security has to be very much a two-way street. IT has to be competent enough and responsive enough that users don't NEED to set up their own systems to get their work done. Otherwise, the two go their separate ways, and both of Mr Best's stories are, unfortunately, very predictable!

Re: Re: Say what?

The problem is balancing security and usability. Having been on both sides, it's usually the IT department's blind focus on security and/or budget with little regard to usability that creates the adversarial relationship. Then add public regulations written by clueless bureaucrats that constrict any form of common sense and make everyone miserable.

Re: Re: Say what?

Whether homegrown solutions are better or not tends to depend on how bad the official IT is and who is doing the growing.

If the official IT guys are going around setting everybody's password to 'password' then almost any homegrown scheme will be superior -- even if it's just adding a number to the password against the IT department's orders.

Re: Say what Christopher Best?

Hello CBimerrow formerly of IT support! I didn't know any other way to reply to you, about what I read on the TechDirt insider chat thingy. That's where y'all talk to each other and we get read access. You mentioned something that I noticed and winced at (just like you did, when you said, "it burns!") but no one talks about. Same as the reaction on TechDirt Insider chat; no one replied to you, re this hxxp://gizmodo.com/sochi-official-our-shower-surveillance-footage-says-ho-1517435247?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow I agree, it is unsightly! The UTM's are for Google, or other web analytics "campaign metrics". I strip them away whenever I post or send a URL. They look cheezy. Even if I'm using a URL shortener, I want that crud gone. I was curious why the person you were IM chatting with didn't post this instead, hxxp://gizmodo.com/sochi-official-our-shower-surveillance-footage-says-ho-1517435247 Is it considered immoral or rude to excise the crud, because the URL creator can't surveil (track?) as well? That URL was so lengthy that it forced the sidebar chat widget to scroll out to 4 times width!

For etiquette's sake, I'll return to the current topic. Why don't these comments have any respect for IT? IT departments are NOT always clueless bureaucrats who don't know how to set a password other than to "password". Someone else described how their IT department isolated Macs because of PC viruses (I didn't say that quite right, it's down below). Just maybe, the IT guys know something that the users don't know, about security. The user's job, in this case, is to be a developer. IT doesn't sit around all day doing nothing. Their job, among other things, is to be real-time up to date about viruses. Macs are not immune, regardless of OS used. Even computers running Linux can be vulnerable.

As for getting in the way of business and customers, I learned the hard way that IT needs to be consulted. I worked on a project using PHI (protected health information). At the beginning, before we bid on the contract, one of our IT guys warned us that there would be problems with using VoIP as part of the deliverable, that HIPAA didn't allow it, in that context. Client said it would be okay, but didn't check with their own IT guy, nor anyone else. So we did months of work and sure enough, our IT guy was right. We should have spent some time to see if he were correct, before proceeding further. We were still paid, nothing terrible happened. Client had to spend more though, for us to do (lots of tedious) changes.

IT security can be a huge pain to deal with, like a law enforcement bureaucracy in your midst, e.g. a visit from Tyler in Data Security was much worse than having the Assistant District Attorney stop by to "ask you a few questions"! It is management's job to rein in overzealous IT, or replace any who are incompetent.

But... "Data wants to be free!" -- Why worry about this?

Geez, on the one hand you celebrate "hackers" who try to break in and "liberate" data, but when people help that, you complain!

[You kids are welcome to censor this too, only shows why no one reasonable should post here. Seems to be a deal of resistance to the clear fact that every one of the tactics available to you has a drawback, but you keep on doing it! I name it "out_of_the_blue effect".] If you like yapping ankle-biters, you'll love Techdirt! (25 of 195)

Re: But... "Data wants to be free!" -- Why worry about this?

Public data, things that are supposed to be open to the public, shouldn't be locked up in bureaucracy or behind paywalls. Private data, things that are not supposed to be open to the public, shouldn't be so weakly protected. It's simple enough for even you to understand, blue.

And no one said that it should be easy to get private data, especially with all of the info the government insists on keeping on everyone.

BTW blue, you keep getting reported for ranting and raving about things that are usually completely off topic, like google. BTW, I do NOT like them. Their search is not that great, still better than most, and their ad service is beyond intrusive, but any competent person can install an app to cull unwanted ads and scripts. I primarily use an ad/script blocker as a matter of security. Getting rid of the cruft is an added bonus.

How Secure are the Armed Forces?

I worked for the Air Force for a while, and I never once saw anything remotely this bad at the base I worked at. They actually did a good job of security. We had card keys that MUST be plugged into the machine to work, and when you unplugged them the computers auto-locked. Not to mention to open basically any door you also needed said key card, so very very few computers were ever left unlocked. I just wonder how the Armed Forces fared for said IT audit.

Re: How Secure are the Armed Forces?

As a consultant for both the Navy and Army over the years, my experience has been the opposite. I had responsibility for maintaining many highly sensitive databases that were configured with default passwords for privileged accounts, on networks open to the web, listening on default ports.

Usually, I could convince them to change default passwords. A few times I had to threaten to quit to get my point across. One facility absolutely refused and I did leave, but they didn't work with anything important, just aircraft carriers and fast attack submarines.

Prior to Y2K, a facility I was working at was warned of a possible cyber-terrorism event. Their solution was to unplug everything. Literally. We worked for three days labeling every cable (power, network, SCSI, keyboards, monitors, mice) that went in and out of every machine in our facility. Then we powered them down and unplugged everything. EVERYTHING. At both ends.

There was actually a procedure developed for how to place floor tiles in the server room so Naval Intelligence could verify machines were disconnected from their power supply.

Because cyber terrorism apparently figured out a way to defeat the insulating properties of air gaps.

We took everything down for multiple mission critical national defense systems that directly supported (hmm, best way to say this?) "capabilities" two days before Y2K, and left them that way for almost a week. We even disconnected the UPS. Because, terrorism.

We still had to come in to work. No phones. No network. No building security because the card scanners were powered off, just Marines checking your ID at the doors that (no joke) had been taped open. No computers. The only thing that had power were the lights and the coffee makers in the break rooms.

When I pointed out that we were essentially doing, on our own, what the terrorists reportedly intended to do, I was told that this was "on our terms."

Re: Matthew 7:3

Bypassing everyone else, these are the 'security agencies' that the MPAA, RIAA etc use to track and prosecute alleged file sharers! Not only are they not doing the job they have been employed to do, they are doing the same things as those they accuse in order to prosecute! That's showing a real lack of bias, I don't think!!

As a former contractor that worked for the US Forest Service for 6 years, I could tell all kinds of tales.

User passwords had to change every 90 days, had to contain x number of characters, etc, but any user could self-promote to admin on any machine to reduce the call load to the help desk.

Users were instructed to not install unauthorized software, but I never saw anyone disciplined for doing so. About twice a year Firefox would be remotely uninstalled from my machine and the next day I would self-promote myself and reinstall it again.

Their security basically boiled down to telling users what they should and shouldn't do without really enforcing any of it.

Leaving the PWN Gates Open

#MyStupidGovernment is infamous for allowing China to bot every federal computer exposed on the Internet from 1998 through 2007. That's 9 years of China blatantly owning government computers before the feds were willing to admit it in public. That is pure incompetence.

I don't expect much better IT competence today. Instead, the federal response has been to go off the rails PWNing the PWNers as well as unconstitutionally surveilling US citizens on US soil without 'probable cause', therefore without a legal warrant. #MyStupidGovernment at work.

They finally figured out what DEFCON and the other hacker conventions have known for a number of years?

Hell, wall of sheep is all they need to prove that the "good guys" aren't good at computer security. Most of wall of sheep is folks trolling, but there still are an awful lot of unencrypted SMTP/POP3 traffic at any of those conferences going to .mil and .gov servers.

That's because, when they talk about "cyber security" their "secret" interpretation is their ability to survey the shit out of you......and not the common sense NORMAL person, self-defence aspect of "cyber security"

Isn't it about time to stop demonizing personal email accounts? The NSA has already compromised every private email service and email encryption scheme - email addresses issued by employers are no more safe than Yahoo! mail these days.

Re:

Well, first, let's not exaggerate what the NSA has done. They have not compromised "every private email service and email encryption scheme" by a long shot.

Even if they had, there are still very, very good reasons that private email accounts should never be used for company (and especially government) business:

1) Accountability. In many cases, particularly with the government, there is a requirement to keep emails archived for accountability purposes. Using a private account bypasses those systems and enables corrupt practices.

2) Companies can harden email systems in ways that you'd never tolerate for your personal email. Good security always comes at the cost of convenience.

3) Security that you are in control of is better than security you're relying on other parties to provide. Relying on Yahoo, Google, or whatever to make you secure is a compromise you might be willing to accept (see point #2), but it isn't something that a company should be willing to do.

4) More limited attack surface. If you're using a major email provider, the attack surface is also much larger. A proper company email system can have a really small attack surface. Small attack surface means it's harder for an attacker to find a way to compromise the system.

5) Liability. If you have sensitive company data sitting in emails in your personal account, and that account is compromised, the fault is yours and you can be held liable. If you keep it on company servers, you have no such exposure.

NRC was a joke

I worked at a nuclear plant and my experience with the NRC (and security at nuclear facilities in general) is consistent with the report.

We had a team of developers that thought it would be funny to code a joke into one of their applications to mess with specific "troublesome" operators by generating random, meaningless error messages for those individuals and force them to restart the application.

After some more thinking, exactly how did these "rogue" IT groups ever exist? If you go to any of our network ports you can't just plug in a computer and have it connect to the network. You MUST be on the domain with all the right proxy settings and other items.

The IT staff really must have been incompetent for the shadow IT groups to even have a capability to get off the ground.

RE: RE

Those of us in the private sector spend mega-dollars and hours to implement FISMA if we want government grants. Why don't they have to follow their own regs? FISMA was written by NIST as mandatory practices for ALL government agencies.

It's also a joke to hear Target talk about chips in credit cards as a security cure when employees use default passwords. Ask RSA if the biggest problems are hackers or users.

SEC OMG!

Thank you, thank you, thank you, TechDirt and Mike Masnick for sharing this with us! And thank you for so kindly posting the full text of the document.

I knew about the NRC having no reporting procedure to track breaches pertaining to accidental release of sensitive information, because I noticed an entry in the Federal Register (or somewhere similar) saying that they needed to draft and instate one, in October or November last year. I wasn't aware of the pervasive carelessness in so many other U.S. government departments though.

The SEC is my primary interest. Lax security increases exchange infrastructure vulnerability. There is another concern, namely, the always-tempting opportunity to exploit and profit from unauthorized access to material non-public information.